February 15, 2018 


Mr. Jeffrey P. Bezos 
President, Chief Executive Officer, 
and Chairman of the Board 
Amazon.com, Inc. 

410 Terry Avenue North 
Seattle, WA 98109 

Dear Mr. Bezos: 

Academic and independent security researchers, 1 some of whom were federally-funded, 2 recently 
discovered three vulnerabilities in modern computer processors that have existed for more than 
two decades. 3 These side-channel vulnerabilities, 4 which researchers have named “Meltdown” 
and “Spectre,” could allow sophisticated hackers access to stored passwords, encryption keys, 
and other highly sensitive information. 5 

According to one of the researchers, the Meltdown vulnerability is “probably one of the worst 
CPU [central processing unit] bugs ever found,” 6 while Spectre, although arguably more difficult 
to exploit, presents more significant challenges to mitigate or patch. For years, the National 
Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has 
been concerned with such side-channel attacks and their impact on cryptography. In 2011, NIST 
held a testing workshop and coauthored standards in cooperation and accordance with the 


1 Affiliated with Google’s Project Zero, Graz University of Technology, University of Pennsylvania, University of 
Maryland, University of Adelaide, Cyberus, and Rambus. 

2 Nat’l Inst. of Standards and Tech., “70NANB15H328, Provable Security for Next-Generation Cryptography;” 
Nat’l Sci. Found., “Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing;” 
and Nat’l Sci. Found., “Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.” 

3 Horn, Jann, “Reading Privileged Memory with a Side-Channel,” January 3, 2018; Kocher, Paul, Daniel Genkin, 
Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and 
Yuval Yarom, “Spectre Attacks: Exploiting Speculative Execution,” January 3, 2018; Lipp, Moritz, Michael 
Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval 
Yarom, and Mike Hamburg, “Meltdown,” January 3, 2018; Galowicz, Jacek, Cyberus Technology, “Meltdown,” 
January 3, 2018. 

4 Nat’l Inst. of Standards and Tech., Nat’l Vulnerability Database, “CVE-2017-5754 Detail,” “CVE-2017-5753 
Detail,” and “CVE-2017-5715 Detail,” January 4, 2018. 

5 “Alert (TA18-004A): Meltdown and Spectre Side-Channel Vulnerability Guidance,” January 4, 2018, 
https://www.us-cert.gov/ncas/alerts/TA18-004A. 

6 Busvine, Douglas, and Stephen Nellis, “Security Flaws Put Virtually All Phones, Computers at Risk,” January 4, 
2018, accessed January 31, 2018, https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO. 
International Organization for Standardization (ISO). 7 These types of novel hardware 
vulnerabilities may represent the future of the potential cybersecurity risks we face. 8 They have 
few countermeasures, and the scope of these vulnerabilities is unprecedented given the number 
of organizations and products affected. 

While we recognize industry’s coordinated response to this ubiquitous, complex problem, some 
security experts have been critical of the process to disclose and mitigate these vulnerabilities. 9 
Although security researchers initially informed certain companies of the vulnerabilities in June 
of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a 
handful of Chinese customers, but not the United States government, were initially informed as 
part of the coordinated response, raising questions as to whether a foreign government or 
malicious actors could have exploited the vulnerabilities. 10 As such, the full picture of the 
impact of these vulnerabilities, including who is affected, when they knew, with whom they 
communicated, and what steps they have taken in response, is far from clear. 

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through 
the encouragement of public-private partnerships to share cyber threat information and best 
practices and the promotion of cybersecurity research and standards development. Cybersecurity 
remains a priority for the Committee, and we request written responses to the following 
questions as the Committee looks for lessons and recommendations to be better prepared to 
address cybersecurity risks associated with these vulnerabilities in the future: 

1. When and how did you first become aware of these vulnerabilities? 

2. Which of your products are affected by these vulnerabilities and how are they affected? 

3. Did you communicate with any entity outside your company, including any U.S. or 
foreign government agencies, regarding these vulnerabilities prior to the date the 
vulnerabilities were publicly disclosed? If so, please identify each such entity and when 
you communicated with them. 


7 Nat’l Inst. of Standards and Tech., Computer Security Resource Center, “Non-Invasive Attack Testing Workshop,” 
updated August 17, 2011, available at: https://csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; 
International Organization for Standardization, “ISO/IEC 17825:2016: Information Technology - Security 
Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules,” 
January 2016, https://www.iso.org/standard/52906.html; International Organization for Standardization, “ISO/IEC 
17825:2016: Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive 
Attack Classes against Cryptographic Modules,” January 2016, https://www.iso.org/standard/60612.html. 

8 Schneier, Bruce, “The New Way Your Computer Can Be Attacked,” The Atlantic, January 22, 2018, accessed 
February 1, 2018, https://www.theatlantic.com/technology/archive/2018/01/spectre-meltdown-cybersecurity/551147/. 

9 Newman, Lily Hay, “Meltdown and Spectre Patching Has Been a Total Train Wreck,” Wired, January 23, 2018, 
accessed February 1, 2018, https://www.wired.com/story/meltdown-spectre-patching-total-train-wreck/. 

10 McMillan, Robert, and Liza Lin, “Intel Warned Chinese Companies of Chip Flaws Before U.S. Government,” 
January 28, 2018, accessed February 1, 2018, https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430. 
4. If you communicated with a U.S. government entity regarding these vulnerabilities prior 
to the date the vulnerabilities were publicly disclosed, what was the result of your 
communication? 

5. What steps have you taken to mitigate or patch these vulnerabilities? 

6. What is the status of user implementation of the steps you have taken or recommended to 
mitigate or patch these vulnerabilities in your products? Have you seen performance 
impacts associated with any patches? 

7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If 
not, please identify any issues that are not fully mitigated by current patches. 

8. Can you detect if these vulnerabilities have been exploited and, if so, have any such 
exploitations occurred, to the best of your knowledge? 

9. To what degree are you coordinating your response with other companies? 

10. Do you have recommendations for further or future steps to be taken to reduce 
cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you 
think the U.S. Government should take in addressing hardware vulnerabilities or in 
response to their discovery? 

We look forward to receiving your written response as soon as possible, but by no later than 
March 1, 2018. Thank you for your consideration of this request. 


Sincerely, 




JOHN THUNE 
Chairman 


BILL NELSON 


Ranking Member 


JOHN THUNE, SOUTH DAKOTA. CHAIRMAN 


ROGER WICKER, MISSISSIPPI 
February 15, 2018 


Mr. Tim Cook 
Chief Executive Officer 
Apple Inc. 

1 Infinite Loop 
Cupertino, CA 95014 


Dear Mr. Cook: 


Academic and independent security researchers, 1 some of whom were federally-funded, 2 recently 
discovered three vulnerabilities in modern computer processors that have existed for more than 
two decades. 3 These side-channel vulnerabilities, 4 which researchers have named “Meltdown” 
and “Spectre,” could allow sophisticated hackers access to stored passwords, encryption keys, 
and other highly sensitive information. 5 

According to one of the researchers, the Meltdown vulnerability is “probably one of the worst 
CPU [central processing unit] bugs ever found,” 6 while Spectre, although arguably more difficult 
to exploit, presents more significant challenges to mitigate or patch. For years, the National 
Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has 
been concerned with such side-channel attacks and their impact on cryptography. In 2011, NIST 
held a testing workshop and coauthored standards in cooperation and accordance with the 


1 Affiliated with Google’s Project Zero, Graz University of Technology, University of Pennsylvania, University of 
Maryland, University of Adelaide, Cyberus, and Rambus. 

2 Nat’l Inst. of Standards and Tech., “70NANB15H328, Provable Security for Next-Generation Cryptography;” 
Nat’l Sci. Found., “Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing;” 
and Nat’l Sci. Found., “Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.” 

3 Horn, Jann, “Reading Privileged Memory with a Side-Channel,” January 3, 2018; Kocher, Paul, Daniel Genkin, 
Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and 
Yuval Yarom, “Spectre Attacks: Exploiting Speculative Execution,” January 3, 2018; Lipp, Moritz, Michael 
Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval 
Yarom, and Mike Hamburg, “Meltdown,” January 3, 2018; Galowicz, Jacek, Cyberus Technology, “Meltdown,” 
January 3, 2018. 

4 Nat’l Inst. of Standards and Tech., Nat’l Vulnerability Database, “CVE-2017-5754 Detail,” “CVE-2017-5753 
Detail,” and “CVE-2017-5715 Detail,” January 4, 2018. 

5 “Alert (TA18-004A): Meltdown and Spectre Side-Channel Vulnerability Guidance,” January 4, 2018, 
https://www.us-cert.gov/ncas/alerts/TA18-004A. 

6 Busvine, Douglas, and Stephen Nellis, “Security Flaws Put Virtually All Phones, Computers at Risk,” January 4, 
2018, accessed January 31, 2018, https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO. 
International Organization for Standardization (ISO). 7 These types of novel hardware 
vulnerabilities may represent the future of the potential cybersecurity risks we face. 8 They have 
few countermeasures, and the scope of these vulnerabilities is unprecedented given the number 
of organizations and products affected. 

While we recognize industry’s coordinated response to this ubiquitous, complex problem, some 
security experts have been critical of the process to disclose and mitigate these vulnerabilities. 9 
Although security researchers initially informed certain companies of the vulnerabilities in June 
of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a 
handful of Chinese customers, but not the United States government, were initially informed as 
part of the coordinated response, raising questions as to whether a foreign government or 
malicious actors could have exploited the vulnerabilities. 10 As such, the full picture of the 
impact of these vulnerabilities, including who is affected, when they knew, with whom they 
communicated, and what steps they have taken in response, is far from clear. 

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through 
the encouragement of public-private partnerships to share cyber threat information and best 
practices and the promotion of cybersecurity research and standards development. Cybersecurity 
remains a priority for the Committee, and we request written responses to the following 
questions as the Committee looks for lessons and recommendations to be better prepared to 
address cybersecurity risks associated with these vulnerabilities in the future: 

1. When and how did you first become aware of these vulnerabilities? 

2. Which of your products are affected by these vulnerabilities and how are they affected? 

3. Did you communicate with any entity outside your company, including any U.S. or 
foreign government agencies, regarding these vulnerabilities prior to the date the 
vulnerabilities were publicly disclosed? If so, please identify each such entity and when 
you communicated with them. 


7 Nat’l Inst. of Standards and Tech., Computer Security Resource Center, “Non-Invasive Attack Testing Workshop,” 
updated August 17, 2011, available at: https://csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; 
International Organization for Standardization, “ISO/IEC 17825:2016: Information Technology - Security 
Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules,” 
January 2016, https://www.iso.org/standard/52906.html; International Organization for Standardization, “ISO/IEC 
17825:2016: Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive 
Attack Classes against Cryptographic Modules,” January 2016, https://www.iso.org/standard/60612.html. 

8 Schneier, Bruce, “The New Way Your Computer Can Be Attacked,” The Atlantic, January 22, 2018, accessed 
February 1, 2018, https://www.theatlantic.com/technology/archive/2018/01/spectre-meltdown-cybersecurity/551147/. 

9 Newman, Lily Hay, “Meltdown and Spectre Patching Has Been a Total Train Wreck,” Wired, January 23, 2018, 
accessed February 1, 2018, https://www.wired.com/story/meltdown-spectre-patching-total-train-wreck/. 

10 McMillan, Robert, and Liza Lin, “Intel Warned Chinese Companies of Chip Flaws Before U.S. Government,” 
January 28, 2018, accessed February 1, 2018, https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430. 
4. If you communicated with a U.S. government entity regarding these vulnerabilities prior 
to the date the vulnerabilities were publicly disclosed, what was the result of your 
communication? 

5. What steps have you taken to mitigate or patch these vulnerabilities? 

6. What is the status of user implementation of the steps you have taken or recommended to 
mitigate or patch these vulnerabilities in your products? Have you seen performance 
impacts associated with any patches? 

7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If 
not, please identify any issues that are not fully mitigated by current patches. 

8. Can you detect if these vulnerabilities have been exploited and, if so, have any such 
exploitations occurred, to the best of your knowledge? 

9. To what degree are you coordinating your response with other companies? 

10. Do you have recommendations for further or future steps to be taken to reduce 
cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you 
think the U.S. Government should take in addressing hardware vulnerabilities or in 
response to their discovery? 

We look forward to receiving your written response as soon as possible, but by no later than 
March 1, 2018. Thank you for your consideration of this request. 


Sincerely, 




JOHN THUNE 
Chairman 


BILL NELSON 


Ranking Member 
February 15, 2018 


Mr. Jensen Huang 

President and Chief Executive Officer 
NVIDIA Corporation 
2788 San Tomas Expressway 
Santa Clara, CA 95051 

Dear Mr. Huang: 

Academic and independent security researchers, 1 some of whom were federally-funded, 2 recently 
discovered three vulnerabilities in modern computer processors that have existed for more than 
two decades. 3 These side-channel vulnerabilities, 4 which researchers have named “Meltdown” 
and “Spectre,” could allow sophisticated hackers access to stored passwords, encryption keys, 
and other highly sensitive information. 5 

According to one of the researchers, the Meltdown vulnerability is “probably one of the worst 
CPU [central processing unit] bugs ever found,” 6 while Spectre, although arguably more difficult 
to exploit, presents more significant challenges to mitigate or patch. For years, the National 
Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has 
been concerned with such side-channel attacks and their impact on cryptography. In 2011, NIST 
held a testing workshop and coauthored standards in cooperation and accordance with the 


1 Affiliated with Google’s Project Zero, Graz University of Technology, University of Pennsylvania, University of 
Maryland, University of Adelaide, Cyberus, and Rambus. 

2 Nat’l Inst. of Standards and Tech., “70NANB15H328, Provable Security for Next-Generation Cryptography;” 
Nat’l Sci. Found., “Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing;” 
and Nat’l Sci. Found., “Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.” 

3 Horn, Jann, “Reading Privileged Memory with a Side-Channel,” January 3, 2018; Kocher, Paul, Daniel Genkin, 
Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and 
Yuval Yarom, “Spectre Attacks: Exploiting Speculative Execution,” January 3, 2018; Lipp, Moritz, Michael 
Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval 
Yarom, and Mike Hamburg, “Meltdown,” January 3, 2018; Galowicz, Jacek, Cyberus Technology, “Meltdown,” 
January 3, 2018. 

4 Nat’l Inst. of Standards and Tech., Nat’l Vulnerability Database, “CVE-2017-5754 Detail,” “CVE-2017-5753 
Detail,” and “CVE-2017-5715 Detail,” January 4, 2018. 

5 “Alert (TA18-004A): Meltdown and Spectre Side-Channel Vulnerability Guidance,” January 4, 2018, 
https://www.us-cert.gov/ncas/alerts/TA18-004A. 

6 Busvine, Douglas, and Stephen Nellis, “Security Flaws Put Virtually All Phones, Computers at Risk,” January 4, 
2018, accessed January 31, 2018, https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO. 
International Organization for Standardization (ISO). 7 These types of novel hardware 
vulnerabilities may represent the future of the potential cybersecurity risks we face. 8 They have 
few countermeasures, and the scope of these vulnerabilities is unprecedented given the number 
of organizations and products affected. 

While we recognize industry’s coordinated response to this ubiquitous, complex problem, some 
security experts have been critical of the process to disclose and mitigate these vulnerabilities. 9 
Although security researchers initially informed certain companies of the vulnerabilities in June 
of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a 
handful of Chinese customers, but not the United States government, were initially informed as 
part of the coordinated response, raising questions as to whether a foreign government or 
malicious actors could have exploited the vulnerabilities. 10 As such, the full picture of the 
impact of these vulnerabilities, including who is affected, when they knew, with whom they 
communicated, and what steps they have taken in response, is far from clear. 

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through 
the encouragement of public-private partnerships to share cyber threat information and best 
practices and the promotion of cybersecurity research and standards development. Cybersecurity 
remains a priority for the Committee, and we request written responses to the following 
questions as the Committee looks for lessons and recommendations to be better prepared to 
address cybersecurity risks associated with these vulnerabilities in the future: 

1. When and how did you first become aware of these vulnerabilities? 

2. Which of your products are affected by these vulnerabilities and how are they affected? 

3. Did you communicate with any entity outside your company, including any U.S. or 
foreign government agencies, regarding these vulnerabilities prior to the date the 
vulnerabilities were publicly disclosed? If so, please identify each such entity and when 
you communicated with them. 


7 Nat’l Inst. of Standards and Tech., Computer Security Resource Center, “Non-Invasive Attack Testing Workshop,” 
updated August 17, 2011, available at: https://csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; 
International Organization for Standardization, “ISO/IEC 17825:2016: Information Technology - Security 
Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules,” 
January 2016, https://www.iso.org/standard/52906.html; International Organization for Standardization, “ISO/IEC 
17825:2016: Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive 
Attack Classes against Cryptographic Modules,” January 2016, https://www.iso.org/standard/60612.html. 

8 Schneier, Bruce, “The New Way Your Computer Can Be Attacked,” The Atlantic, January 22, 2018, accessed 
February 1, 2018, https://www.theatlantic.com/technology/archive/2018/01/spectre-meltdown-cybersecurity/551147/. 

9 Newman, Lily Hay, “Meltdown and Spectre Patching Has Been a Total Train Wreck,” Wired, January 23, 2018, 
accessed February 1, 2018, https://www.wired.com/story/meltdown-spectre-patching-total-train-wreck/. 

10 McMillan, Robert, and Liza Lin, “Intel Warned Chinese Companies of Chip Flaws Before U.S. Government,” 
January 28, 2018, accessed February 1, 2018, https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430. 
4. If you communicated with a U.S. government entity regarding these vulnerabilities prior 
to the date the vulnerabilities were publicly disclosed, what was the result of your 
communication? 

5. What steps have you taken to mitigate or patch these vulnerabilities? 

6. What is the status of user implementation of the steps you have taken or recommended to 
mitigate or patch these vulnerabilities in your products? Have you seen performance 
impacts associated with any patches? 

7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If 
not, please identify any issues that are not fully mitigated by current patches. 

8. Can you detect if these vulnerabilities have been exploited and, if so, have any such 
exploitations occurred, to the best of your knowledge? 

9. To what degree are you coordinating your response with other companies? 

10. Do you have recommendations for further or future steps to be taken to reduce 
cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you 
think the U.S. Government should take in addressing hardware vulnerabilities or in 
response to their discovery? 

We look forward to receiving your written response as soon as possible, but by no later than 
March 1, 2018. Thank you for your consideration of this request. 


Sincerely, 




JOHN THUNE 
Chairman 


BILL NELSON 
Ranking Member 


February 15, 2018 


Mr. Brian M. Krzanich 
Chief Executive Officer 
Intel Corporation 
2200 Mission College Boulevard 
Santa Clara, CA 95054 


Dear Mr. Krzanich: 


Academic and independent security researchers, 1 some of whom were federally-funded, 2 recently 
discovered three vulnerabilities in modern computer processors that have existed for more than 
two decades. 3 These side-channel vulnerabilities, 4 which researchers have named “Meltdown” 
and “Spectre,” could allow sophisticated hackers access to stored passwords, encryption keys, 
and other highly sensitive information. 5 

According to one of the researchers, the Meltdown vulnerability is “probably one of the worst 
CPU [central processing unit] bugs ever found,” 6 while Spectre, although arguably more difficult 
to exploit, presents more significant challenges to mitigate or patch. For years, the National 
Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has 
been concerned with such side-channel attacks and their impact on cryptography. In 2011, NIST 
held a testing workshop and coauthored standards in cooperation and accordance with the 


1 Affiliated with Google’s Project Zero, Graz University of Technology, University of Pennsylvania, University of 
Maryland, University of Adelaide, Cyberus, and Rambus. 

2 Nat’l Inst. of Standards and Tech., “70NANB15H328, Provable Security for Next-Generation Cryptography;” 
Nat’l Sci. Found., “Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing;” 
and Nat’l Sci. Found., “Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.” 

3 Horn, Jann, “Reading Privileged Memory with a Side-Channel,” January 3, 2018; Kocher, Paul, Daniel Genkin, 
Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and 
Yuval Yarom, “Spectre Attacks: Exploiting Speculative Execution,” January 3, 2018; Lipp, Moritz, Michael 
Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval 
Yarom, and Mike Hamburg, “Meltdown,” January 3, 2018; Galowicz, Jacek, Cyberus Technology, “Meltdown,” 
January 3, 2018. 

4 Nat’l Inst. of Standards and Tech., Nat’l Vulnerability Database, “CVE-2017-5754 Detail,” “CVE-2017-5753 
Detail,” and “CVE-2017-5715 Detail,” January 4, 2018. 

5 “Alert (TA18-004A): Meltdown and Spectre Side-Channel Vulnerability Guidance,” January 4, 2018, 
https://www.us-cert.gov/ncas/alerts/TA18-004A. 

6 Busvine, Douglas, and Stephen Nellis, “Security Flaws Put Virtually All Phones, Computers at Risk,” January 4, 
2018, accessed January 31, 2018, https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO. 
International Organization for Standardization (ISO). 7 These types of novel hardware 
vulnerabilities may represent the future of the potential cybersecurity risks we face. 8 They have 
few countermeasures, and the scope of these vulnerabilities is unprecedented given the number 
of organizations and products affected. 

While we recognize industry’s coordinated response to this ubiquitous, complex problem, some 
security experts have been critical of the process to disclose and mitigate these vulnerabilities. 9 
Although security researchers initially informed certain companies of the vulnerabilities in June 
of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a 
handful of Chinese customers, but not the United States government, were initially informed as 
part of the coordinated response, raising questions as to whether a foreign government or 
malicious actors could have exploited the vulnerabilities. 10 As such, the full picture of the 
impact of these vulnerabilities, including who is affected, when they knew, with whom they 
communicated, and what steps they have taken in response, is far from clear. 

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through 
the encouragement of public-private partnerships to share cyber threat information and best 
practices and the promotion of cybersecurity research and standards development. Cybersecurity 
remains a priority for the Committee, and we request written responses to the following 
questions as the Committee looks for lessons and recommendations to be better prepared to 
address cybersecurity risks associated with these vulnerabilities in the future: 

1. When and how did you first become aware of these vulnerabilities? 

2. Which of your products are affected by these vulnerabilities and how are they affected? 

3. Did you communicate with any entity outside your company, including any U.S. or 
foreign government agencies, regarding these vulnerabilities prior to the date the 
vulnerabilities were publicly disclosed? If so, please identify each such entity and when 
you communicated with them. 


7 Nat’l Inst. of Standards and Tech., Computer Security Resource Center, “Non-Invasive Attack Testing Workshop,” 
updated August 17, 2011, available at: https://csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; 
International Organization for Standardization, “ISO/IEC 17825:2016: Information Technology - Security 
Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules,” 
January 2016, https://www.iso.org/standard/52906.html; International Organization for Standardization, “ISO/IEC 
17825:2016: Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive 
Attack Classes against Cryptographic Modules,” January 2016, https://www.iso.org/standard/60612.html. 

8 Schneier, Bruce, “The New Way Your Computer Can Be Attacked,” The Atlantic, January 22, 2018, accessed 
February 1, 2018, https://www.theatlantic.com/technology/archive/2018/01/spectre-meltdown-cybersecurity/551147/. 

9 Newman, Lily Hay, “Meltdown and Spectre Patching Has Been a Total Train Wreck,” Wired, January 23, 2018, 
accessed February 1, 2018, https://www.wired.com/story/meltdown-spectre-patching-total-train-wreck/. 

10 McMillan, Robert, and Liza Lin, “Intel Warned Chinese Companies of Chip Flaws Before U.S. Government,” 
January 28, 2018, accessed February 1, 2018, https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430. 
4. If you communicated with a U.S. government entity regarding these vulnerabilities prior 
to the date the vulnerabilities were publicly disclosed, what was the result of your 
communication? 

5. What steps have you taken to mitigate or patch these vulnerabilities? 

6. What is the status of user implementation of the steps you have taken or recommended to 
mitigate or patch these vulnerabilities in your products? Have you seen performance 
impacts associated with any patches? 

7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If 
not, please identify any issues that are not fully mitigated by current patches. 

8. Can you detect if these vulnerabilities have been exploited and, if so, have any such 
exploitations occurred, to the best of your knowledge? 

9. To what degree are you coordinating your response with other companies? 

10. Do you have recommendations for further or future steps to be taken to reduce 
cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you 
think the U.S. Government should take in addressing hardware vulnerabilities or in 
response to their discovery? 

We look forward to receiving your written response as soon as possible, but by no later than 
March 1, 2018. Thank you for your consideration of this request. 


Sincerely, 




JOHN THUNE 
Chairman 


BILL NELSON 


Ranking Member 


JOHN THUNE, SOUTH DAKOTA, CHAIRMAN 
February 15, 2018 


Mr. Satya Nadella 
Chief Executive Officer 
Microsoft Corporation 
One Microsoft Way 
Redmond, WA 98052 


Dear Mr. Nadella: 


Academic and independent security researchers, 1 some of whom were federally-funded, 2 recently 
discovered three vulnerabilities in modern computer processors that have existed for more than 
two decades. 3 These side-channel vulnerabilities, 4 which researchers have named “Meltdown” 
and “Spectre,” could allow sophisticated hackers access to stored passwords, encryption keys, 
and other highly sensitive information. 5 

According to one of the researchers, the Meltdown vulnerability is “probably one of the worst 
CPU [central processing unit] bugs ever found,” 6 while Spectre, although arguably more difficult 
to exploit, presents more significant challenges to mitigate or patch. For years, the National 
Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has 
been concerned with such side-channel attacks and their impact on cryptography. In 2011, NIST 
held a testing workshop and coauthored standards in cooperation and accordance with the 


1 Affiliated with Google’s Project Zero, Graz University of Technology, University of Pennsylvania, University of 
Maryland, University of Adelaide, Cyberus, and Rambus. 

2 Nat’l Inst. of Standards and Tech., “70NANB15H328, Provable Security for Next-Generation Cryptography;” 

Nat’l Sci. Found., “Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing;” 
and Nat’l Sci. Found., “Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.” 

3 Horn, Jann, “Reading Privileged Memory with a Side-Channel,” January 3, 2018; Kocher, Paul, Daniel Genkin, 
Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and 
Yuval Yarom, “Spectre Attacks: Exploiting Speculative Execution,” January 03, 2018; Lipp, Moritz, Michael 
Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval 
Yarom, and Mike Hamburg, “Meltdown,” January 03, 2018; Galowicz, Jacek, Cyberus Technology, “Meltdown,” 
January 3, 2018. 

4 Nat’l Inst. of Standards and Tech., Nat’l Vulnerability Database, “CVE-2017-5754 Detail,” “CVE-2017-5733 
Detail,” and “CVE-2017-5715 Detail,” January 4, 2018. 

5 “Alert (TA18-004A): Meltdown and Spectre Side-Channel Vulnerability Guidance,” January 4, 2018, 
https://www.us-cert.gov/ncas/alerts/TA18-004A. 

6 Busvine, Douglas, and Stephen Nellis, “Security Flaws Put Virtually All Phones, Computers at Risk,” January 04, 
2018, Accessed January 31, 2018, https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO. 

International Organization for Standardization (ISO). 7 These types of novel hardware 
vulnerabilities may represent the future of the potential cyber security risks we face. 8 They have 
few countermeasures, and the scope of these vulnerabilities is unprecedented given the number 
of organizations and products affected. 

While we recognize industry’s coordinated response to this ubiquitous, complex problem, some 
security experts have been critical of the process to disclose and mitigate these vulnerabilities. 9 
Although security researchers initially informed certain companies of the vulnerabilities in June 
of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a 
handful of Chinese customers, but not the United States government, were initially informed as 
part of the coordinated response, raising questions as to whether a foreign government or 
malicious actors could have exploited the vulnerabilities. 10 As such, the full picture of the 
impact of these vulnerabilities, including who is affected, when they knew, with whom they 
communicated, and what steps they have taken in response, is far from clear. 

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through 
the encouragement of public-private partnerships to share cyber threat information and best 
practices and the promotion of cybersecurity research and standards development. Cybersecurity 
remains a priority for the Committee, and we request written responses to the following 
questions as the Committee looks for lessons and recommendations to be better prepared to 
address cybersecurity risks associated with these vulnerabilities in the future: 

1. When and how did you first become aware of these vulnerabilities? 

2. Which of your products are affected by these vulnerabilities and how are they affected? 

3. Did you communicate with any entity outside your company, including any U.S. or 
foreign government agencies, regarding these vulnerabilities prior to the date the 
vulnerabilities were publicly disclosed? If so, please identify each such entity and when 
you communicated with them. 


7 Nat’l Inst. of Standards and Tech., Computer Security Resource Center, “Non-Invasive Attack Testing Workshop,” 
Updated August 17, 2011, available at: https://csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; 
International Organization for Standardization, “ISO/IEC 17825:2016: Information Technology - Security 
Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules,” 
January 2016, https://www.iso.org/standard/52906.html; International Organization for Standardization, “ISO/IEC 
17825:2016: Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive 
Attack Classes against Cryptographic Modules,” January 2016, https://www.iso.org/standard/60612.html 

8 Schneier, Bruce, “The New Way Your Computer Can Be Attacked,” The Atlantic, January 22, 2018, accessed 
February 01, 2018, https://www.theatlantic.com/technology/archive/2018/01/spectre-meltdown-cybersecurity/551147/. 

9 Newman, Lily Hay, “Meltdown and Spectre Patching has been a Total Train Wreck,” Wired, January 23, 2018, 
accessed February 1, 2018, https://www.wired.com/story/meltdown-spectre-patching-total-train-wreck/ 

10 McMillan, Robert, and Liza Lin, “Intel Warned Chinese Companies of Chip Flaws before U.S. Government,” 
January 28, 2018, accessed February 1, 2018, https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430 

4. If you communicated with a U.S. government entity regarding these vulnerabilities prior 
to the date the vulnerabilities were publicly disclosed, what was the result of your 
communication? 

5. What steps have you taken to mitigate or patch these vulnerabilities? 

6. What is the status of user implementation of the steps you have taken or recommended to 
mitigate or patch these vulnerabilities in your products? Have you seen performance 
impacts associated with any patches? 

7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If 
not, please identify any issues that are not fully mitigated by current patches. 

8. Can you detect if these vulnerabilities have been exploited and, if so, have any such 
exploitations occurred, to the best of your knowledge? 

9. To what degree are you coordinating your response with other companies? 

10. Do you have recommendations for further or future steps to be taken to reduce 
cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you 
think the U.S. Government should take in addressing hardware vulnerabilities or in 
response to their discovery? 

We look forward to receiving your written response as soon as possible, but by no later than 
March 1, 2018. Thank you for your consideration of this request. 


Sincerely, 




JOHN THUNE 
Chairman 


BILL NELSON 


Ranking Member 


February 15, 2018 


Mr. Sundar Pichai 
Chief Executive Officer 
Google LLC 

1600 Amphitheatre Parkway 
Mountain View, CA 94043 

Dear Mr. Pichai: 

Academic and independent security researchers, 1 some of whom were federally-funded, 2 recently 
discovered three vulnerabilities in modern computer processors that have existed for more than 
two decades. 3 These side-channel vulnerabilities, 4 which researchers have named “Meltdown” 
and “Spectre,” could allow sophisticated hackers access to stored passwords, encryption keys, 
and other highly sensitive information. 5 

According to one of the researchers, the Meltdown vulnerability is “probably one of the worst 
CPU [central processing unit] bugs ever found,” 6 while Spectre, although arguably more difficult 
to exploit, presents more significant challenges to mitigate or patch. For years, the National 
Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has 
been concerned with such side-channel attacks and their impact on cryptography. In 2011, NIST 
held a testing workshop and coauthored standards in cooperation and accordance with the 


1 Affiliated with Google’s Project Zero, Graz University of Technology, University of Pennsylvania, University of 
Maryland, University of Adelaide, Cyberus, and Rambus. 

2 Nat’l Inst. of Standards and Tech., “70NANB15H328, Provable Security for Next-Generation Cryptography;” 

Nat’l Sci. Found., “Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing;” 
and Nat’l Sci. Found., “Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.” 

3 Horn, Jann, “Reading Privileged Memory with a Side-Channel,” January 3, 2018; Kocher, Paul, Daniel Genkin, 
Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and 
Yuval Yarom, “Spectre Attacks: Exploiting Speculative Execution,” January 03, 2018; Lipp, Moritz, Michael 
Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval 
Yarom, and Mike Hamburg, “Meltdown,” January 03, 2018; Galowicz, Jacek, Cyberus Technology, “Meltdown,” 
January 3, 2018. 

4 Nat’l Inst. of Standards and Tech., Nat’l Vulnerability Database, “CVE-2017-5754 Detail,” “CVE-2017-5733 
Detail,” and “CVE-2017-5715 Detail,” January 4, 2018. 

5 “Alert (TA18-004A): Meltdown and Spectre Side-Channel Vulnerability Guidance,” January 4, 2018, 
https://www.us-cert.gov/ncas/alerts/TA18-004A. 

6 Busvine, Douglas, and Stephen Nellis, “Security Flaws Put Virtually All Phones, Computers at Risk,” January 04, 
2018, Accessed January 31, 2018, https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO. 

International Organization for Standardization (ISO). 7 These types of novel hardware 
vulnerabilities may represent the future of the potential cyber security risks we face. 8 They have 
few countermeasures, and the scope of these vulnerabilities is unprecedented given the number 
of organizations and products affected. 

While we recognize industry's coordinated response to this ubiquitous, complex problem, some 
security experts have been critical of the process to disclose and mitigate these vulnerabilities. 9 
Although security researchers initially informed certain companies of the vulnerabilities in June 
of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a 
handful of Chinese customers, but not the United States government, were initially informed as 
part of the coordinated response, raising questions as to whether a foreign government or 
malicious actors could have exploited the vulnerabilities. 10 As such, the full picture of the 
impact of these vulnerabilities, including who is affected, when they knew, with whom they 
communicated, and what steps they have taken in response, is far from clear. 

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through 
the encouragement of public-private partnerships to share cyber threat information and best 
practices and the promotion of cybersecurity research and standards development. Cybersecurity 
remains a priority for the Committee, and we request written responses to the following 
questions as the Committee looks for lessons and recommendations to be better prepared to 
address cybersecurity risks associated with these vulnerabilities in the future: 

1. When and how did you first become aware of these vulnerabilities? 

2. Which of your products are affected by these vulnerabilities and how are they affected? 

3. Did you communicate with any entity outside your company, including any U.S. or 
foreign government agencies, regarding these vulnerabilities prior to the date the 
vulnerabilities were publicly disclosed? If so, please identify each such entity and when 
you communicated with them. 


7 Nat’l Inst. of Standards and Tech., Computer Security Resource Center, “Non-Invasive Attack Testing Workshop,” 
Updated August 17, 2011, available at: https://csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; 
International Organization for Standardization, “ISO/IEC 17825:2016: Information Technology - Security 
Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules,” 
January 2016, https://www.iso.org/standard/52906.html; International Organization for Standardization, “ISO/IEC 
17825:2016: Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive 
Attack Classes against Cryptographic Modules,” January 2016, https://www.iso.org/standard/60612.html 

8 Schneier, Bruce, “The New Way Your Computer Can Be Attacked,” The Atlantic, January 22, 2018, accessed 
February 01, 2018, https://www.theatlantic.com/technology/archive/2018/01/spectre-meltdown-cybersecurity/551147/. 

9 Newman, Lily Hay, “Meltdown and Spectre Patching has been a Total Train Wreck,” Wired, January 23, 2018, 
accessed February 1, 2018, https://www.wired.com/story/meltdown-spectre-patching-total-train-wreck/ 

10 McMillan, Robert, and Liza Lin, “Intel Warned Chinese Companies of Chip Flaws before U.S. Government,” 
January 28, 2018, accessed February 1, 2018, https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430 

4. If you communicated with a U.S. government entity regarding these vulnerabilities prior 
to the date the vulnerabilities were publicly disclosed, what was the result of your 
communication? 

5. What steps have you taken to mitigate or patch these vulnerabilities? 

6. What is the status of user implementation of the steps you have taken or recommended to 
mitigate or patch these vulnerabilities in your products? Have you seen performance 
impacts associated with any patches? 

7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If 
not, please identify any issues that are not fully mitigated by current patches. 

8. Can you detect if these vulnerabilities have been exploited and, if so, have any such 
exploitations occurred, to the best of your knowledge? 

9. To what degree are you coordinating your response with other companies? 

10. Do you have recommendations for further or future steps to be taken to reduce 
cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you 
think the U.S. Government should take in addressing hardware vulnerabilities or in 
response to their discovery? 

We look forward to receiving your written response as soon as possible, but by no later than 
March 1, 2018. Thank you for your consideration of this request. 


Sincerely, 




JOHN THUNE 
Chairman 


BILL NELSON 


Ranking Member 


February 15, 2018 


Mr. Chuck Robbins 

Chairman and Chief Executive Officer 

Cisco Systems, Inc. 

170 West Tasman Drive 
San Jose, CA 95134 

Dear Mr. Robbins: 

Academic and independent security researchers, 1 some of whom were federally-funded, 2 recently 
discovered three vulnerabilities in modern computer processors that have existed for more than 
two decades. 3 These side-channel vulnerabilities, 4 which researchers have named “Meltdown” 
and “Spectre,” could allow sophisticated hackers access to stored passwords, encryption keys, 
and other highly sensitive information. 5 

According to one of the researchers, the Meltdown vulnerability is “probably one of the worst 
CPU [central processing unit] bugs ever found,” 6 while Spectre, although arguably more difficult 
to exploit, presents more significant challenges to mitigate or patch. For years, the National 
Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has 
been concerned with such side-channel attacks and their impact on cryptography. In 2011, NIST 
held a testing workshop and coauthored standards in cooperation and accordance with the 


1 Affiliated with Google’s Project Zero, Graz University of Technology, University of Pennsylvania, University of 
Maryland, University of Adelaide, Cyberus, and Rambus. 

2 Nat’l Inst. of Standards and Tech., “70NANB15H328, Provable Security for Next-Generation Cryptography;” 

Nat’l Sci. Found., “Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing;” 
and Nat’l Sci. Found., “Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.” 

3 Horn, Jann, “Reading Privileged Memory with a Side-Channel,” January 3, 2018; Kocher, Paul, Daniel Genkin, 
Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and 
Yuval Yarom, “Spectre Attacks: Exploiting Speculative Execution,” January 03, 2018; Lipp, Moritz, Michael 
Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval 
Yarom, and Mike Hamburg, “Meltdown,” January 03, 2018; Galowicz, Jacek, Cyberus Technology, “Meltdown,” 
January 3, 2018. 

4 Nat’l Inst. of Standards and Tech., Nat’l Vulnerability Database, “CVE-2017-5754 Detail,” “CVE-2017-5733 
Detail,” and “CVE-2017-5715 Detail,” January 4, 2018. 

5 “Alert (TA18-004A): Meltdown and Spectre Side-Channel Vulnerability Guidance,” January 4, 2018, 
https://www.us-cert.gov/ncas/alerts/TA18-004A. 

6 Busvine, Douglas, and Stephen Nellis, “Security Flaws Put Virtually All Phones, Computers at Risk,” January 04, 
2018, Accessed January 31, 2018, https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO. 

International Organization for Standardization (ISO). 7 These types of novel hardware 
vulnerabilities may represent the future of the potential cybersecurity risks we face. 8 They have 
few countermeasures, and the scope of these vulnerabilities is unprecedented given the number 
of organizations and products affected. 

While we recognize industry’s coordinated response to this ubiquitous, complex problem, some 
security experts have been critical of the process to disclose and mitigate these vulnerabilities. 9 
Although security researchers initially informed certain companies of the vulnerabilities in June 
of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a 
handful of Chinese customers, but not the United States government, were initially informed as 
part of the coordinated response, raising questions as to whether a foreign government or 
malicious actors could have exploited the vulnerabilities. 10 As such, the full picture of the 
impact of these vulnerabilities, including who is affected, when they knew, with whom they 
communicated, and what steps they have taken in response, is far from clear. 

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through 
the encouragement of public-private partnerships to share cyber threat information and best 
practices and the promotion of cybersecurity research and standards development. Cybersecurity 
remains a priority for the Committee, and we request written responses to the following 
questions as the Committee looks for lessons and recommendations to be better prepared to 
address cybersecurity risks associated with these vulnerabilities in the future: 

1. When and how did you first become aware of these vulnerabilities? 

2. Which of your products are affected by these vulnerabilities and how are they affected? 

3. Did you communicate with any entity outside your company, including any U.S. or 
foreign government agencies, regarding these vulnerabilities prior to the date the 
vulnerabilities were publicly disclosed? If so, please identify each such entity and when 
you communicated with them. 


7 Nat’l Inst. of Standards and Tech., Computer Security Resource Center, “Non-Invasive Attack Testing Workshop,” 
Updated August 17, 2011, available at: https://csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; 
International Organization for Standardization, “ISO/IEC 17825:2016: Information Technology - Security 
Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules,” 
January 2016, https://www.iso.org/standard/52906.html; International Organization for Standardization, “ISO/IEC 
17825:2016: Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive 
Attack Classes against Cryptographic Modules,” January 2016, https://www.iso.org/standard/60612.html 

8 Schneier, Bruce, “The New Way Your Computer Can Be Attacked,” The Atlantic, January 22, 2018, accessed 
February 01, 2018, https://www.theatlantic.com/technology/archive/2018/01/spectre-meltdown-cybersecurity/551147/. 

9 Newman, Lily Hay, “Meltdown and Spectre Patching has been a Total Train Wreck,” Wired, January 23, 2018, 
accessed February 1, 2018, https://www.wired.com/story/meltdown-spectre-patching-total-train-wreck/ 

10 McMillan, Robert, and Liza Lin, “Intel Warned Chinese Companies of Chip Flaws before U.S. Government,” 
January 28, 2018, accessed February 1, 2018, https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430 

4. If you communicated with a U.S. government entity regarding these vulnerabilities prior 
to the date the vulnerabilities were publicly disclosed, what was the result of your 
communication? 

5. What steps have you taken to mitigate or patch these vulnerabilities? 

6. What is the status of user implementation of the steps you have taken or recommended to 
mitigate or patch these vulnerabilities in your products? Have you seen performance 
impacts associated with any patches? 

7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If 
not, please identify any issues that are not fully mitigated by current patches. 

8. Can you detect if these vulnerabilities have been exploited and, if so, have any such 
exploitations occurred, to the best of your knowledge? 

9. To what degree are you coordinating your response with other companies? 

10. Do you have recommendations for further or future steps to be taken to reduce 
cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you 
think the U.S. Government should take in addressing hardware vulnerabilities or in 
response to their discovery? 

We look forward to receiving your written response as soon as possible, but by no later than 
March 1, 2018. Thank you for your consideration of this request. 


Sincerely, 




JOHN THUNE 
Chairman 


BILL NELSON 
Ranking Member 
February 15, 2018 


Ms. Virginia M. Rometty 

Chairman, President, and 

Chief Executive Officer 

International Business Machines Corporation 

1 New Orchard Road 

Armonk, NY 10504 

Dear Ms. Rometty: 

Academic and independent security researchers, 1 some of whom were federally-funded, 2 recently 
discovered three vulnerabilities in modern computer processors that have existed for more than 
two decades. 3 These side-channel vulnerabilities, 4 which researchers have named “Meltdown” 
and “Spectre,” could allow sophisticated hackers access to stored passwords, encryption keys, 
and other highly sensitive information. 5 


According to one of the researchers, the Meltdown vulnerability is “probably one of the worst 
CPU [central processing unit] bugs ever found,” 6 while Spectre, although arguably more difficult 
to exploit, presents more significant challenges to mitigate or patch. For years, the National 
Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has 
been concerned with such side-channel attacks and their impact on cryptography. In 2011, NIST 
held a testing workshop and coauthored standards in cooperation and accordance with the 


1 Affiliated with Google’s Project Zero, Graz University of Technology, University of Pennsylvania, University of 
Maryland, University of Adelaide, Cyberus, and Rambus. 

2 Nat’l Inst. of Standards and Tech., “70NANB15H328, Provable Security for Next-Generation Cryptography;” 

Nat’l Sci. Found., “Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing;” 
and Nat’l Sci. Found., “Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.” 

3 Horn, Jann, “Reading Privileged Memory with a Side-Channel,” January 3, 2018; Kocher, Paul, Daniel Genkin, 
Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and 
Yuval Yarom, “Spectre Attacks: Exploiting Speculative Execution,” January 03, 2018; Lipp, Moritz, Michael 
Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval 
Yarom, and Mike Hamburg, “Meltdown,” January 03, 2018; Galowicz, Jacek, Cyberus Technology, “Meltdown,” 
January 3, 2018. 

4 Nat’l Inst. of Standards and Tech., Nat’l Vulnerability Database, “CVE-2017-5754 Detail,” “CVE-2017-5733 
Detail,” and “CVE-2017-5715 Detail,” January 4, 2018. 

5 “Alert (TA18-004A): Meltdown and Spectre Side-Channel Vulnerability Guidance,” January 4, 2018, 
https://www.us-cert.gov/ncas/alerts/TA18-004A. 

6 Busvine, Douglas, and Stephen Nellis, “Security Flaws Put Virtually All Phones, Computers at Risk,” January 04, 
2018, Accessed January 31, 2018, https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO. 

International Organization for Standardization (ISO). 7 These types of novel hardware 
vulnerabilities may represent the future of the potential cybersecurity risks we face. 8 They have 
few countermeasures, and the scope of these vulnerabilities is unprecedented given the number 
of organizations and products affected. 

While we recognize industry’s coordinated response to this ubiquitous, complex problem, some 
security experts have been critical of the process to disclose and mitigate these vulnerabilities. 9 
Although security researchers initially informed certain companies of the vulnerabilities in June 
of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a 
handful of Chinese customers, but not the United States government, were initially informed as 
part of the coordinated response, raising questions as to whether a foreign government or 
malicious actors could have exploited the vulnerabilities. 10 As such, the full picture of the 
impact of these vulnerabilities, including who is affected, when they knew, with whom they 
communicated, and what steps they have taken in response, is far from clear. 

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through 
the encouragement of public-private partnerships to share cyber threat information and best 
practices and the promotion of cybersecurity research and standards development. Cybersecurity 
remains a priority for the Committee, and we request written responses to the following 
questions as the Committee looks for lessons and recommendations to be better prepared to 
address cybersecurity risks associated with these vulnerabilities in the future: 

1. When and how did you first become aware of these vulnerabilities? 

2. Which of your products are affected by these vulnerabilities and how are they affected? 

3. Did you communicate with any entity outside your company, including any U.S. or 
foreign government agencies, regarding these vulnerabilities prior to the date the 
vulnerabilities were publicly disclosed? If so, please identify each such entity and when 
you communicated with them. 


7 Nat’l Inst. of Standards and Tech., Computer Security Resource Center, “Non-Invasive Attack Testing Workshop,” 
Updated August 17, 2011, available at: https://csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop; 
International Organization for Standardization, “ISO/IEC 17825:2016: Information Technology - Security 
Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules,” 
January 2016, https://www.iso.org/standard/52906.html; International Organization for Standardization, “ISO/IEC 
17825:2016: Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive 
Attack Classes against Cryptographic Modules,” January 2016, https://www.iso.org/standard/60612.html 

8 Schneier, Bruce, “The New Way Your Computer Can Be Attacked,” The Atlantic, January 22, 2018, accessed 
February 01, 2018, https://www.theatlantic.com/technology/archive/2018/01/spectre-meltdown-cybersecurity/551147/. 

9 Newman, Lily Hay, “Meltdown and Spectre Patching has been a Total Train Wreck,” Wired, January 23, 2018, 
accessed February 1, 2018, https://www.wired.com/story/meltdown-spectre-patching-total-train-wreck/ 

10 McMillan, Robert, and Liza Lin, “Intel Warned Chinese Companies of Chip Flaws before U.S. Government,” 
January 28, 2018, accessed February 1, 2018, https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430 

4. If you communicated with a U.S. government entity regarding these vulnerabilities prior 
to the date the vulnerabilities were publicly disclosed, what was the result of your 
communication? 

5. What steps have you taken to mitigate or patch these vulnerabilities? 

6. What is the status of user implementation of the steps you have taken or recommended to 
mitigate or patch these vulnerabilities in your products? Have you seen performance 
impacts associated with any patches? 

7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If 
not, please identify any issues that are not fully mitigated by current patches. 

8. Can you detect if these vulnerabilities have been exploited and, if so, have any such 
exploitations occurred, to the best of your knowledge? 

9. To what degree are you coordinating your response with other companies? 

10. Do you have recommendations for further or future steps to be taken to reduce 
cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you 
think the U.S. Government should take in addressing hardware vulnerabilities or in 
response to their discovery? 

We look forward to receiving your written response as soon as possible, but by no later than 
March 1, 2018. Thank you for your consideration of this request. 

Sincerely, 

JOHN THUNE
Chairman

BILL NELSON
Ranking Member
February 15, 2018


Mr. Simon Segars 
Chief Executive Officer 
ARM Holdings PLC 
150 Rose Orchard Way 
San Jose, CA 95134 

Dear Mr. Segars: 

Academic and independent security researchers, 1 some of whom were federally-funded, 2 recently
discovered three vulnerabilities in modern computer processors that have existed for more than
two decades. 3 These side-channel vulnerabilities, 4 which researchers have named “Meltdown”
and “Spectre,” could allow sophisticated hackers access to stored passwords, encryption keys,
and other highly sensitive information. 5

According to one of the researchers, the Meltdown vulnerability is “probably one of the worst 
CPU [central processing unit] bugs ever found,” 6 while Spectre, although arguably more difficult 
to exploit, presents more significant challenges to mitigate or patch. For years, the National 
Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has 
been concerned with such side-channel attacks and their impact on cryptography. In 2011, NIST 
held a testing workshop and coauthored standards in cooperation and accordance with the 


1 Affiliated with Google’s Project Zero, Graz University of Technology, University of Pennsylvania, University of 
Maryland, University of Adelaide, Cyberus, and Rambus. 

2 Nat’l Inst. of Standards and Tech., “70NANB15H328, Provable Security for Next-Generation Cryptography;”
Nat’l Sci. Found., “Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing;”
and Nat’l Sci. Found., “Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.”

3 Horn, Jann, “Reading Privileged Memory with a Side-Channel,” January 3, 2018; Kocher, Paul, Daniel Genkin,
Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and
Yuval Yarom, “Spectre Attacks: Exploiting Speculative Execution,” January 03, 2018; Lipp, Moritz, Michael
Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval
Yarom, and Mike Hamburg, “Meltdown,” January 03, 2018; Galowicz, Jacek, Cyberus Technology, “Meltdown,”
January 3, 2018.

4 Nat’l Inst. of Standards and Tech., Nat’l Vulnerability Database, “CVE-2017-5754 Detail,” “CVE-2017-5733
Detail,” and “CVE-2017-5715 Detail,” January 4, 2018. 

5 “Alert (TA 1804A): Meltdown and Spectre Side-Channel Vulnerability Guidance,” January 4, 2018, 
https://www.us-cert.gov/ncas/alerts/TA18-004A. 

6 Busvine, Douglas, and Stephen Nellis, “Security Flaws Put Virtually All Phones, Computers at Risk,” January 04,
2018, accessed January 31, 2018, https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-
phones-computers-at-risk-idUSKBN1ES1B0.
International Organization for Standardization (ISO). 7 These types of novel hardware
vulnerabilities may represent the future of the potential cybersecurity risks we face. 8 They have
few countermeasures, and the scope of these vulnerabilities is unprecedented given the number 
of organizations and products affected. 

While we recognize industry’s coordinated response to this ubiquitous, complex problem, some 
security experts have been critical of the process to disclose and mitigate these vulnerabilities. 9 
Although security researchers initially informed certain companies of the vulnerabilities in June 
of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a 
handful of Chinese customers, but not the United States government, were initially informed as 
part of the coordinated response, raising questions as to whether a foreign government or 
malicious actors could have exploited the vulnerabilities. 10 As such, the full picture of the 
impact of these vulnerabilities, including who is affected, when they knew, with whom they 
communicated, and what steps they have taken in response, is far from clear. 

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through
the encouragement of public-private partnerships to share cyber threat information and best
practices and the promotion of cybersecurity research and standards development. Cybersecurity
remains a priority for the Committee, and we request written responses to the following
questions as the Committee looks for lessons and recommendations to be better prepared to
address cybersecurity risks associated with these vulnerabilities in the future:

1. When and how did you first become aware of these vulnerabilities? 

2. Which of your products are affected by these vulnerabilities and how are they affected? 

3. Did you communicate with any entity outside your company, including any U.S. or 
foreign government agencies, regarding these vulnerabilities prior to the date the 
vulnerabilities were publicly disclosed? If so, please identify each such entity and when 
you communicated with them. 


7 Nat’l Inst. of Standards and Tech., Computer Security Resource Center, “Non-Invasive Attack Testing Workshop,”
Updated August 17, 2011, available at: https://csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop;
International Organization for Standardization, “ISO/IEC 17825:2016: Information Technology - Security
Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules,”
January 2016, https://www.iso.org/standard/52906.html; International Organization for Standardization, “ISO/IEC
17825:2016: Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive
Attack Classes against Cryptographic Modules,” January 2016, https://www.iso.org/standard/60612.html

8 Schneier, Bruce, “The New Way Your Computer Can Be Attacked,” The Atlantic, January 22, 2018, accessed
February 01, 2018, https://www.theatlantic.com/technology/archive/2018/01/spectre-meltdown-
cybersecurity/551147/.

9 Newman, Lily Hay, “Meltdown and Spectre Patching has been a Total Train Wreck,” Wired, January 23, 2018,
accessed February 1, 2018, https://www.wired.com/story/meltdown-spectre-patching-total-train-wreck/

10 McMillan, Robert, and Liza Lin, “Intel Warned Chinese Companies of Chip Flaws before U.S. Government,”
January 28, 2018, accessed February 1, 2018, https://www.wsj.com/articles/intel-warned-chinese-companies-of-
chip-flaws-before-u-s-government-1517157430
4. If you communicated with a U.S. government entity regarding these vulnerabilities prior
to the date the vulnerabilities were publicly disclosed, what was the result of your 
communication? 

5. What steps have you taken to mitigate or patch these vulnerabilities? 

6. What is the status of user implementation of the steps you have taken or recommended to 
mitigate or patch these vulnerabilities in your products? Have you seen performance 
impacts associated with any patches? 

7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If 
not, please identify any issues that are not fully mitigated by current patches. 

8. Can you detect if these vulnerabilities have been exploited and, if so, have any such
exploitations occurred, to the best of your knowledge? 

9. To what degree are you coordinating your response with other companies? 

10. Do you have recommendations for further or future steps to be taken to reduce 
cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you 
think the U.S. Government should take in addressing hardware vulnerabilities or in 
response to their discovery? 

We look forward to receiving your written response as soon as possible, but by no later than 
March 1, 2018. Thank you for your consideration of this request. 


Sincerely, 




JOHN THUNE 
Chairman 


BILL NELSON 


Ranking Member 
Dr. Lisa Su

President and Chief Executive Officer 
Advanced Micro Devices, Inc. 

2485 Augustine Drive 
Santa Clara, CA 95054 

Dear Dr. Su: 

Academic and independent security researchers, 1 some of whom were federally-funded, 2 recently 
discovered three vulnerabilities in modern computer processors that have existed for more than
two decades. 3 These side-channel vulnerabilities, 4 which researchers have named “Meltdown” 
and “Spectre,” could allow sophisticated hackers access to stored passwords, encryption keys, 
and other highly sensitive information. 5 

According to one of the researchers, the Meltdown vulnerability is “probably one of the worst 
CPU [central processing unit] bugs ever found,” 6 while Spectre, although arguably more difficult 
to exploit, presents more significant challenges to mitigate or patch. For years, the National 
Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has 
been concerned with such side-channel attacks and their impact on cryptography. In 2011, NIST 
held a testing workshop and coauthored standards in cooperation and accordance with the 


1 Affiliated with Google’s Project Zero, Graz University of Technology, University of Pennsylvania, University of 
Maryland, University of Adelaide, Cyberus, and Rambus. 

2 Nat’l Inst. of Standards and Tech., “70NANB15H328, Provable Security for Next-Generation Cryptography;”
Nat’l Sci. Found., “Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing;”
and Nat’l Sci. Found., “Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.”

3 Horn, Jann, “Reading Privileged Memory with a Side-Channel,” January 3, 2018; Kocher, Paul, Daniel Genkin,
Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and
Yuval Yarom, “Spectre Attacks: Exploiting Speculative Execution,” January 03, 2018; Lipp, Moritz, Michael
Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval
Yarom, and Mike Hamburg, “Meltdown,” January 03, 2018; Galowicz, Jacek, Cyberus Technology, “Meltdown,”
January 3, 2018.

4 Nat’l Inst. of Standards and Tech., Nat’l Vulnerability Database, “CVE-2017-5754 Detail,” “CVE-2017-5733
Detail,” and “CVE-2017-5715 Detail,” January 4, 2018.

5 “Alert (TA 1804A): Meltdown and Spectre Side-Channel Vulnerability Guidance,” January 4, 2018,
https://www.us-cert.gov/ncas/alerts/TA18-004A.

6 Busvine, Douglas, and Stephen Nellis, “Security Flaws Put Virtually All Phones, Computers at Risk,” January 04,
2018, accessed January 31, 2018, https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-
phones-computers-at-risk-idUSKBN1ES1B0.
International Organization for Standardization (ISO). 7 These types of novel hardware
vulnerabilities may represent the future of the potential cybersecurity risks we face. 8 They have 
few countermeasures, and the scope of these vulnerabilities is unprecedented given the number 
of organizations and products affected. 

While we recognize industry’s coordinated response to this ubiquitous, complex problem, some 
security experts have been critical of the process to disclose and mitigate these vulnerabilities. 9 
Although security researchers initially informed certain companies of the vulnerabilities in June
of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a
handful of Chinese customers, but not the United States government, were initially informed as 
part of the coordinated response, raising questions as to whether a foreign government or 
malicious actors could have exploited the vulnerabilities. 10 As such, the full picture of the 
impact of these vulnerabilities, including who is affected, when they knew, with whom they 
communicated, and what steps they have taken in response, is far from clear. 

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through 
the encouragement of public-private partnerships to share cyber threat information and best 
practices and the promotion of cybersecurity research and standards development. Cybersecurity
remains a priority for the Committee, and we request written responses to the following 
questions as the Committee looks for lessons and recommendations to be better prepared to 
address cybersecurity risks associated with these vulnerabilities in the future: 

1. When and how did you first become aware of these vulnerabilities? 

2. Which of your products are affected by these vulnerabilities and how are they affected? 

3. Did you communicate with any entity outside your company, including any U.S. or 
foreign government agencies, regarding these vulnerabilities prior to the date the 
vulnerabilities were publicly disclosed? If so, please identify each such entity and when
you communicated with them. 


7 Nat’l Inst. of Standards and Tech., Computer Security Resource Center, “Non-Invasive Attack Testing Workshop,”
Updated August 17, 2011, available at: https://csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop;
International Organization for Standardization, “ISO/IEC 17825:2016: Information Technology - Security
Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules,”
January 2016, https://www.iso.org/standard/52906.html; International Organization for Standardization, “ISO/IEC
17825:2016: Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive
Attack Classes against Cryptographic Modules,” January 2016, https://www.iso.org/standard/60612.html

8 Schneier, Bruce, “The New Way Your Computer Can Be Attacked,” The Atlantic, January 22, 2018, accessed
February 01, 2018, https://www.theatlantic.com/technology/archive/2018/01/spectre-meltdown-
cybersecurity/551147/.

9 Newman, Lily Hay, “Meltdown and Spectre Patching has been a Total Train Wreck,” Wired, January 23, 2018,
accessed February 1, 2018, https://www.wired.com/story/meltdown-spectre-patching-total-train-wreck/

10 McMillan, Robert, and Liza Lin, “Intel Warned Chinese Companies of Chip Flaws before U.S. Government,”
January 28, 2018, accessed February 1, 2018, https://www.wsj.com/articles/intel-warned-chinese-companies-of-
chip-flaws-before-u-s-government-1517157430
4. If you communicated with a U.S. government entity regarding these vulnerabilities prior
to the date the vulnerabilities were publicly disclosed, what was the result of your 
communication? 

5. What steps have you taken to mitigate or patch these vulnerabilities? 

6. What is the status of user implementation of the steps you have taken or recommended to 
mitigate or patch these vulnerabilities in your products? Have you seen performance 
impacts associated with any patches? 

7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If 
not, please identify any issues that are not fully mitigated by current patches. 

8. Can you detect if these vulnerabilities have been exploited and, if so, have any such 
exploitations occurred, to the best of your knowledge? 

9. To what degree are you coordinating your response with other companies? 

10. Do you have recommendations for further or future steps to be taken to reduce 
cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you 
think the U.S. Government should take in addressing hardware vulnerabilities or in 
response to their discovery? 

We look forward to receiving your written response as soon as possible, but by no later than 
March 1, 2018. Thank you for your consideration of this request. 



Sincerely, 



JOHN THUNE 
Chairman 


BILL NELSON 


Ranking Member 


February 15, 2018


Mr. Yang Yuanqing 

Chairman and Chief Executive Officer 

Lenovo Group Limited 

1009 Think Place 

Morrisville, NC 27560 

Dear Mr. Yuanqing: 

Academic and independent security researchers, 1 some of whom were federally-funded, 2 recently 
discovered three vulnerabilities in modern computer processors that have existed for more than
two decades. 3 These side-channel vulnerabilities, 4 which researchers have named “Meltdown” 
and “Spectre,” could allow sophisticated hackers access to stored passwords, encryption keys, 
and other highly sensitive information. 5 

According to one of the researchers, the Meltdown vulnerability is “probably one of the worst 
CPU [central processing unit] bugs ever found,” 6 while Spectre, although arguably more difficult 
to exploit, presents more significant challenges to mitigate or patch. For years, the National 
Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has 
been concerned with such side-channel attacks and their impact on cryptography. In 2011, NIST 
held a testing workshop and coauthored standards in cooperation and accordance with the 


1 Affiliated with Google’s Project Zero, Graz University of Technology, University of Pennsylvania, University of 
Maryland, University of Adelaide, Cyberus, and Rambus. 

2 Nat’l Inst. of Standards and Tech., “70NANB15H328, Provable Security for Next-Generation Cryptography;”
Nat’l Sci. Found., “Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing;”
and Nat’l Sci. Found., “Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.”

3 Horn, Jann, “Reading Privileged Memory with a Side-Channel,” January 3, 2018; Kocher, Paul, Daniel Genkin, 
Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and 
Yuval Yarom, “Spectre Attacks: Exploiting Speculative Execution,” January 03, 2018; Lipp, Moritz, Michael
Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval
Yarom, and Mike Hamburg, “Meltdown,” January 03, 2018; Galowicz, Jacek, Cyberus Technology, “Meltdown,” 
January 3, 2018. 

4 Nat’l Inst. of Standards and Tech., Nat’l Vulnerability Database, “CVE-2017-5754 Detail,” “CVE-2017-5733
Detail,” and “CVE-2017-5715 Detail,” January 4, 2018. 

5 “Alert (TA 1804A): Meltdown and Spectre Side-Channel Vulnerability Guidance,” January 4, 2018, 
https://www.us-cert.gov/ncas/alerts/TA18-004A.

6 Busvine, Douglas, and Stephen Nellis, “Security Flaws Put Virtually All Phones, Computers at Risk,” January 04, 
2018, accessed January 31, 2018, https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-
phones-computers-at-risk-idUSKBN1ES1B0.
International Organization for Standardization (ISO). 7 These types of novel hardware
vulnerabilities may represent the future of the potential cybersecurity risks we face. 8 They have 
few countermeasures, and the scope of these vulnerabilities is unprecedented given the number 
of organizations and products affected. 

While we recognize industry’s coordinated response to this ubiquitous, complex problem, some
security experts have been critical of the process to disclose and mitigate these vulnerabilities. 9 
Although security researchers initially informed certain companies of the vulnerabilities in June 
of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a 
handful of Chinese customers, but not the United States government, were initially informed as 
part of the coordinated response, raising questions as to whether a foreign government or 
malicious actors could have exploited the vulnerabilities. 10 As such, the full picture of the 
impact of these vulnerabilities, including who is affected, when they knew, with whom they 
communicated, and what steps they have taken in response, is far from clear.

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through
the encouragement of public-private partnerships to share cyber threat information and best
practices and the promotion of cybersecurity research and standards development. Cybersecurity
remains a priority for the Committee, and we request written responses to the following 
questions as the Committee looks for lessons and recommendations to be better prepared to 
address cybersecurity risks associated with these vulnerabilities in the future: 

1. When and how did you first become aware of these vulnerabilities? 

2. Which of your products are affected by these vulnerabilities and how are they affected? 

3. Did you communicate with any entity outside your company, including any U.S. or
foreign government agencies, regarding these vulnerabilities prior to the date the 
vulnerabilities were publicly disclosed? If so, please identify each such entity and when 
you communicated with them. 


7 Nat’l Inst. of Standards and Tech., Computer Security Resource Center, “Non-Invasive Attack Testing Workshop,”
Updated August 17, 2011, available at: https://csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop;
International Organization for Standardization, “ISO/IEC 17825:2016: Information Technology - Security
Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules,”
January 2016, https://www.iso.org/standard/52906.html; International Organization for Standardization, “ISO/IEC
17825:2016: Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive
Attack Classes against Cryptographic Modules,” January 2016, https://www.iso.org/standard/60612.html

8 Schneier, Bruce, “The New Way Your Computer Can Be Attacked,” The Atlantic, January 22, 2018, accessed
February 01, 2018, https://www.theatlantic.com/technology/archive/2018/01/spectre-meltdown-
cybersecurity/551147/.

9 Newman, Lily Hay, “Meltdown and Spectre Patching has been a Total Train Wreck,” Wired, January 23, 2018,
accessed February 1, 2018, https://www.wired.com/story/meltdown-spectre-patching-total-train-wreck/

10 McMillan, Robert, and Liza Lin, “Intel Warned Chinese Companies of Chip Flaws before U.S. Government,”
January 28, 2018, accessed February 1, 2018, https://www.wsj.com/articles/intel-warned-chinese-companies-of-
chip-flaws-before-u-s-government-1517157430
4. If you communicated with a U.S. government entity regarding these vulnerabilities prior
to the date the vulnerabilities were publicly disclosed, what was the result of your 
communication? 

5. What steps have you taken to mitigate or patch these vulnerabilities? 

6. What is the status of user implementation of the steps you have taken or recommended to 
mitigate or patch these vulnerabilities in your products? Have you seen performance 
impacts associated with any patches? 

7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If 
not, please identify any issues that are not fully mitigated by current patches. 

8. Can you detect if these vulnerabilities have been exploited and, if so, have any such 
exploitations occurred, to the best of your knowledge? 

9. To what degree are you coordinating your response with other companies? 

10. Do you have recommendations for further or future steps to be taken to reduce 
cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you 
think the U.S. Government should take in addressing hardware vulnerabilities or in 
response to their discovery? 

We look forward to receiving your written response as soon as possible, but by no later than 
March 1, 2018. Thank you for your consideration of this request. 


Sincerely, 




JOHN THUNE
Chairman


BILL NELSON
Ranking Member
February 15, 2018


Mr. Ren Zhengfei 
Deputy Chairman of the Board 
and Chief Executive Officer 
Huawei Technologies, Co., Ltd. 
c/o Huawei Technologies USA 
5700 Tennyson Parkway Suite 500 
Plano, TX 75024 

Dear Mr. Zhengfei: 

Academic and independent security researchers, 1 some of whom were federally-funded, 2 recently 
discovered three vulnerabilities in modern computer processors that have existed for more than
two decades. 3 These side-channel vulnerabilities, 4 which researchers have named “Meltdown” 
and “Spectre,” could allow sophisticated hackers access to stored passwords, encryption keys, 
and other highly sensitive information. 5 

According to one of the researchers, the Meltdown vulnerability is “probably one of the worst 
CPU [central processing unit] bugs ever found,” 6 while Spectre, although arguably more difficult 
to exploit, presents more significant challenges to mitigate or patch. For years, the National 
Institute of Standards and Technology (NIST) within the U.S. Department of Commerce has
been concerned with such side-channel attacks and their impact on cryptography. In 2011, NIST 
held a testing workshop and coauthored standards in cooperation and accordance with the 

1 Affiliated with Google’s Project Zero, Graz University of Technology, University of Pennsylvania, University of 
Maryland, University of Adelaide, Cyberus, and Rambus. 

2 Nat’l Inst. of Standards and Tech., “70NANB15H328, Provable Security for Next-Generation Cryptography;”

Nat’l Sci. Found., “Award 1514261, TWC: Medium: Apollo: An Architecture for Scalable Verifiable Computing;” 
and Nat’l Sci. Found., “Award 1652259, CAREER: Towards Practical Systems for Trustworthy Cloud Computing.” 

3 Horn, Jann, “Reading Privileged Memory with a Side-Channel,” January 3, 2018; Kocher, Paul, Daniel Genkin, 
Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and 
Yuval Yarom, “Spectre Attacks: Exploiting Speculative Execution,” January 03, 2018; Lipp, Moritz, Michael 
Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval 
Yarom, and Mike Hamburg, “Meltdown,” January 03, 2018; Galowicz, Jacek, Cyberus Technology, “Meltdown,”
January 3, 2018. 

4 Nat’l Inst. of Standards and Tech., Nat’l Vulnerability Database, “CVE-2017-5754 Detail,” “CVE-2017-5733
Detail,” and “CVE-2017-5715 Detail,” January 4, 2018. 

5 “Alert (TA 1804A): Meltdown and Spectre Side-Channel Vulnerability Guidance,” January 4, 2018, 
https://www.us-cert.gov/ncas/alerts/TA18-004A.

6 Busvine, Douglas, and Stephen Nellis, “Security Flaws Put Virtually All Phones, Computers at Risk,” January 04, 
2018, accessed January 31, 2018, https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-
phones-computers-at-risk-idUSKBN1ES1B0.
International Organization for Standardization (ISO). 7 These types of novel hardware
vulnerabilities may represent the future of the potential cybersecurity risks we face. 8 They have 
few countermeasures, and the scope of these vulnerabilities is unprecedented given the number
of organizations and products affected. 

While we recognize industry’s coordinated response to this ubiquitous, complex problem, some
security experts have been critical of the process to disclose and mitigate these vulnerabilities. 9
Although security researchers initially informed certain companies of the vulnerabilities in June 
of 2017, the vulnerabilities were not widely disclosed until January of 2018. In addition, a 
handful of Chinese customers, but not the United States government, were initially informed as 
part of the coordinated response, raising questions as to whether a foreign government or 
malicious actors could have exploited the vulnerabilities. 10 As such, the full picture of the
impact of these vulnerabilities, including who is affected, when they knew, with whom they 
communicated, and what steps they have taken in response, is far from clear. 

The Senate Commerce Committee has previously sought to reduce cybersecurity risks through 
the encouragement of public-private partnerships to share cyber threat information and best 
practices and the promotion of cybersecurity research and standards development. Cybersecurity 
remains a priority for the Committee, and we request written responses to the following
questions as the Committee looks for lessons and recommendations to be better prepared to
address cybersecurity risks associated with these vulnerabilities in the future:

1. When and how did you first become aware of these vulnerabilities? 

2. Which of your products are affected by these vulnerabilities and how are they affected? 

3. Did you communicate with any entity outside your company, including any U.S. or 
foreign government agencies, regarding these vulnerabilities prior to the date the 
vulnerabilities were publicly disclosed? If so, please identify each such entity and when
you communicated with them. 


7 Nat’l Inst. of Standards and Tech., Computer Security Resource Center, “Non-Invasive Attack Testing Workshop,”
Updated August 17, 2011, available at: https://csrc.nist.gov/Events/2011/Non-Invasive-Attack-Testing-Workshop;
International Organization for Standardization, “ISO/IEC 17825:2016: Information Technology - Security
Techniques - Testing Methods for the Mitigation of Non-Invasive Attack Classes against Cryptographic Modules,”
January 2016, https://www.iso.org/standard/52906.html; International Organization for Standardization, “ISO/IEC
17825:2016: Information Technology - Security Techniques - Testing Methods for the Mitigation of Non-Invasive
Attack Classes against Cryptographic Modules,” January 2016, https://www.iso.org/standard/60612.html

8 Schneier, Bruce, “The New Way Your Computer Can Be Attacked,” The Atlantic, January 22, 2018, accessed
February 01, 2018, https://www.theatlantic.com/technology/archive/2018/01/spectre-meltdown-
cybersecurity/551147/.

9 Newman, Lily Hay, “Meltdown and Spectre Patching has been a Total Train Wreck,” Wired, January 23, 2018,
accessed February 1, 2018, https://www.wired.com/story/meltdown-spectre-patching-total-train-wreck/

10 McMillan, Robert, and Liza Lin, “Intel Warned Chinese Companies of Chip Flaws before U.S. Government,”
January 28, 2018, accessed February 1, 2018, https://www.wsj.com/articles/intel-warned-chinese-companies-of-
chip-flaws-before-u-s-government-1517157430
4. If you communicated with a U.S. government entity regarding these vulnerabilities prior
to the date the vulnerabilities were publicly disclosed, what was the result of your 
communication? 

5. What steps have you taken to mitigate or patch these vulnerabilities? 

6. What is the status of user implementation of the steps you have taken or recommended to 
mitigate or patch these vulnerabilities in your products? Have you seen performance 
impacts associated with any patches? 

7. Do you believe the patches that have been released fully mitigate the vulnerabilities? If 
not, please identify any issues that are not fully mitigated by current patches. 

8. Can you detect if these vulnerabilities have been exploited and, if so, have any such 
exploitations occurred, to the best of your knowledge? 

9. To what degree are you coordinating your response with other companies? 

10. Do you have recommendations for further or future steps to be taken to reduce 
cybersecurity risks stemming from hardware vulnerabilities? What role, if any, do you 
think the U.S. Government should take in addressing hardware vulnerabilities or in 
response to their discovery? 

We look forward to receiving your written response as soon as possible, but by no later than 
March 1, 2018. Thank you for your consideration of this request. 


Sincerely, 




JOHN THUNE 
Chairman 


BILL NELSON 
Ranking Member 


